Browser Tracking Is Possible Even with JavaScript Disabled
A group of researchers from Ben-Gurion University (Israel), the University of Adelaide (Australia), and the University of Michigan (USA) have presented a research paper titled “Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses,” focused on side-channel attacks using web browsers.
In their report, the researchers demonstrate that side-channel attacks on browsers remain possible despite all efforts by developers and all implemented countermeasures. Even worse, such attacks work even in privacy-focused browsers that have been specifically protected against Spectre-type attacks, including the Tor browser, Chrome with the Chrome Zero extension, and Firefox with the DeterFox extension.
The experts note that even with JavaScript completely disabled, a side-channel attack based solely on HTML and CSS can still leak a significant amount of data from the browser. Even without JS, this leakage is enough to identify and track users, albeit with slightly less accuracy, for example by determining which websites a person has visited.
The report emphasizes that the attacks were tested not only against browsers running on Intel processors (which have historically been most vulnerable to side-channel attacks), but also against browsers running on Samsung Exynos, AMD Ryzen, and even the new Apple M1 chips. As a result, this research marks the first time a side-channel attack has worked against the Apple M1.
The researchers state that they notified engineers at Intel, AMD, Apple, Chrome, and Mozilla about their findings before publishing the research, but it is not reported what responses were received from the manufacturers.
It is worth noting that Google Chrome developers recently acknowledged that, even with the new Site Isolation feature, it is impossible to completely block side-channel attacks in modern browsers. Google engineers have also mentioned that side-channel attacks will soon no longer require JavaScript and will be carried out using only CSS. To address these issues, they urge developers to reconsider their approach to website design and data handling.